Mashup Security by Compilation
Tamara Rezk
These slides discuss joint work with
Zhengqin Luo and Jose Santos
February 22nd , 2013
Web Client Mashup
• Client-side web
application
• Integrating thirdparty gadgets
• Great way for code
reuse!
Google Maps Gadget
Integrator’s Housing Data
Different kind of Mashups
gadget
The integrator uses the gadget as a library
The gadget reads state from the integrator
Programming model
• Mashups written in HTML + Javascript;
• Two ways to include external gadgets:
– Using script tag
– Using frame tag
Script tag - oversharing
<script src="http://maps.google.com/maps/api/js?sensor=true"></script>
• Gadget has integrator
privileges
• Full exposure JS
execution environment
Google Maps Gadget
Integrator’s
Housing Data
Script tag – security violations
<script src="http://maps.google.com/maps/api/js?sensor=true"></script>
• Confidentiality violation
var steal =
window[“integratorSecret”]
• Integrity violation
window[“price”] = newPrice
Google Maps Gadget
Integrator’s
Housing Data
Script tag – integrity violation
<html>
<head> <script src=http://untrusted.com/untrustedAD.js></script>
</head>
<body>
<script>
var fac= function(x) {
if (x <= 1) {
return 1;
}
return x*fac(x-1);
}
r = fac(3);
s = "alert("+r+")“
setTimeout(s, 100)
</script>
</body></html>
Script tag - integrity violation
Content of http://untrusted.com/untrustedAD.js
setTimeout = function() { EVIL CODE HERE }
Embedded frame – undersharing
<iframe src="http://mapservice.com/maps.html"></iframe>
• Gadget has no privileges
• Same Origin Policy
X
• Isolation of JS execution
environment between
integrator and gadget
Google Maps Gadget
Integrator’s
Housing Data
Embedded frame – undersharing
<iframe src="http://mapservice.com/maps.html"></iframe>
Isolation of JS execution:
X
• Confidentiality violation
var steal =
window[“integratorSecret”]
• Integrity violation
window[“price”] = newPrice
Google Maps Gadget
Integrator’s
Housing Data
Script versus Frame Tag
• Script tag:
– exposes the integrator’s JS environment
– unlimited communication
– not secure
• Frame tag:
– isolates the environment of gadget and integrator
– communication is limited
– more secure than script
In practice: sacrifice security in the name of functionality!
HTML5 and Inter-frame
communication
listener in gadget
listener in integrator
• Frame can communicate
with integrator via
PostMessage:
– confidentiality
– authentication
Gadget
Integrator
HTML5 and Inter-frame
communication
Stub library in gadget
• The Postmash design was
proposed by Barth, Jackson,
and Li [09]
• Put untrusted code in
embedded frame;
• Two stub libraries;
• Proxy e.g. method
invocation by messagepassing;
• No need to change
untrusted code !!
Stub library in integrator
Google Maps Gadget
Integrator’s
Housing Data
Postmash
• How to transform an insecure mashup to a
mashup following the Postmash design?
– Manually writing two stub libraries (gadget
dependent);
– Manually rewriting of integrators’ code;
• Our proposal : automate it and characterize
the security property that it enforces:
Mashic Compiler [CSF’ 12]
Our proposal: Mashic Compiler
• A generic proxy and listener
library
– Gadget independent!
• Integrator transform:
– Adapt to asynchronous
communication,
– Use the proxy library
• Mashic compiler
– Input: insecure mashup
– Output: secured mashup
• Proofs:
– Correctness
• benign gadget
– Security
• JS small-step semantics of Maffeis et
al. with rules to model the same
origin policy
Mashic compiler - Overview
<html>
<iframe src = u’> </iframe>
<script> Proxy </script>
<script> Bootstrap-I </script>
<script> C(I) </script>
</html>
• Pg : gadget code
• Pi : integrator code
where Web(u’ ) =
<script> Listener </script>
<script src = u> </script>
<script>
<html>
<script src = u> </script>
<script> I </script>
</html>
Mashic
compiler
Opaque Handle
• Opaque Handles
– Integrator’s reference to gadget’s object
– E.g.: { is_handle: true Integrator
id : 42}
• Inside gadget
– 42 maps to the real
object.
• Gadget independent!
Framed gadget
Proxy and listener
• Proxy provides interfaces using opaque handles:
1. Example: GET_PROPERTY(ohandle,prop,cont)
2. Send (“get property”, ohandle, prop) via
Postmessage
3. Listener reacts to message:
1. E.g. if ohandle { is_handle: true, id : 42} -> { “prop”: 4}, then listener
responds with 4.
4. Proxy receives the response, applies the continuation cont to
4.
Integrator
Framed gadget
A minimal set of Proxy Interfaces
• GET_GLOBAL_REF
– Get global property
• CALL_METHOD
– Call a method
• CALL_FUNCTION
– Call a function
• ASSIGN_PROPERTY
– Property assignment
• General enough to
encode most real-world
mashups!!
Integrator transformation
• PostMessage is
asynchronous;
• So is our proxy interface;
• Automated CPS
transformation and call
to proxy interfaces of
old integrator code
• An example of rule
Realistic core JS subset
• Small-step core JS
semantics adopted
from Maffeis et al. [08];
• Extended with DOM
semantics and
message-passing;
• A decorated (colored
heap) semantics;
Decorated Semantics
heaps contain objects with
properties that are colored
programs run as colored principal
Formal Guarantees
• Correctness guarantees:
– If the gadget is benign, then the compiled
mashup behaves as the original one.
• Security guarantees:
– If the gadget is not benign, nothing “bad” can
happen in the compiled mashup.
Benign gadget
Intuitively:
• Integrity: A gadget does not try to write a
property belonging to the integrator;
• Confidentiality: A gadget does not try to read
a property of the integrator;
• Formally defined:
Correctness Theorem
For a benign gadget, the compiled mashup
reaches a final configuration indistinguishable
with the one reachable from the original
mashup.
Security Theorem
For any gadget, the compiled mashup
provides integrity and confidentiality for the
integrator.
Prototype Implementation
• A prototype compiler written in Bigloo (a
dialect of scheme)
– 3.3k loc of bigloo and 0.8k loc of Javascript
• Applied to various mashups:
Mashic: Summary
Assumption
Benign Gadget: Passive Gadget
Theorem
Correcteness
The compiled mashup preserves the original semantics
Security
Theorem
After Mashic compilation, the malicious gadget cannot
read/write information belonging to the integrator.
Plus
Browser Independence
Gadget Independence
Extending Mashic
Challenge
Handle Active Gadgets
How?
Gadgets must be allowed to access integrator objects
Add an Access Control layer between gadgets
and the integrator
Supporting Active Gadgets
Integrator.js
Integrator
Allow two-sided
communication
Listener
Proxy
Goal
Controlled
Add proxy and listener
libraries to both the gadget
iframe and to the integrator
code
Listener
Proxy
iframe
Page.html
Current
Uncontrolled
Mashic
Gadget A
Control the communication
from the gadget to the
integrator
Controlling Gadget – Integrator Com.
Integrator.js
Integrator
How?
vl where Listener
l is in LcxLI
Proxy
1
Controlled
Listener
Proxy
iframe
Page.html
Uncontrolled
∑ : Gadgets → LcxLI
Gadget A
Gadget A
Establish a lattice of security
levels
2
AssignLa
security levelLto
I
c
each integrator resource
3
Assign a security level to
each gadget
Confidentiality
Integrity
Check all the gadget –
4
Lcxaccesses
LI
integrator
at
runtime
Ext Mashic: Soundness and Security
Assumption
Benign Gadget: A gadget that only tries to access
integrator information compatible with its security level
Correcteness
Theorem
The compiled mashup preserves the original semantics
Theorem
Security
After Mashic compilation, the malicious gadget can
only read/write integrator information compatible with
its security level.
Information Flow control needed
for the integrator code!
(and only the integrator code)
Information Flow Control needed
• Separation of the gadget using iframe : no need to
analyze gadget code
• Existing work on dynamic monitors (browser
dependent):
•Hedin and Sabelfeld, 12
•Austin and Flanagan, 09,10,12
• Inlining of dynamic security monitors (browser
independent) :
•Sabelfeld et al ‘’10
•Chudnov and Naumann’ 10
Information Flow Control
Labeling in JavaScript
LI
Lc
var o = {};
o[f()] = 1
Confidentiality
f() is a function that returns a
dynamically computed string
Integrity
LcxLI
In the final memory o has a new property unknown before
execution! Static labeling is not always possible.
Labeling Values
Labeled Object
Original Object
p1: v1
Runtime
Labeling
p2: v2
p1: (v1,,l1)
p2: (v2, l2)
p3: (v3, l3)
p3: v3
…
…
pn: (vn, ln)
pn: vn
lo: l
Security Level
of the object
Security levels
of the object
property values
Labeling Values and Instrumentation
Source Integrator Code
…
if(x) {
y = y + x;
} else {
alert(“hello world”)
}
Source Integrator Code
…
if(x.value) {
lpc = x.level ˅ lpc;
y.value = y.value + x.value;
y.level = x.level ˅ y.level ˅ lpc;
} else {
alert(“hello world”)
}
Labeling Values and Instrumentation
Source Integrator Code
…
if(x) {
y = y + x;
} else {
alert(“hello world”)
}
Source Integrator Code
…
if(x.value) {
lpc = x.level ˅ lpc;
y.value = y.value + x.value;
y.level = x.level ˅ y.level ˅ lpc;
} else {
alert(“hello world”)
}
Labeling Properties
Labeled Object
Original Object
p1: v1
Runtime
Labeling
(p1,l1) : v1
(p2 ,l2): v2
p2: v2
p3: v3
…
…
pn: vn
(pn,ln) : vn
lo: l
Labeling Properties
Labeled Object
Original Object
p1: v1
Runtime
Labeling
(p1,l1) : v1
(p2 ,l2): v2
p2: v2
p3: v3
…
…
pn: vn
(pn,ln) : vn
lo: l
Labeling Properties
• Inlining
security monitors becomes more
efficient (no need for an object per value in the
program)
• Opens the path to combining dynamic and
static JavaScript analysis
Dynamic Semantics, extracting constrains
constrains
Conclusions
Mashic Compiler:
– assumption: gadgets used as libraries
– correctness under assumption
– security guarantees based on SOP, characterized
as IF where everything in the integrator is treated
as top security level
– compilation: gadget and browser independent!
Conclusions
Mashic Compiler Extension:
– assumption: two way communication with AC
– correctness under assumption
– security guarantees based on information flow
security
– compilation:
• IF analysis for the integrator using code
instrumentation
• gadget independence regarding IF analysis
• browser independence
Open Questions
• IF analysis for the integrator using code
instrumentation:
– Combining with static analysis? If part of the code is
in a static typable subset [Maffeis 2010] then type check
and instrument the rest.
• Gadget independence regarding IF analysis:
– Still have to adapt to asynchrony of PostMessage … what’s
a good solution to this? shadow pages? [Adjail 2010]
• Making the web ad business model secure
and practical?